On 2025-05-23 at 08:49:01 UTC-0400 (Fri, 23 May 2025 14:49:01 +0200)
Benoît Panizzon via mailop
is rumored to have said:
> Hi List
>
> We get bombarded with loads of spam mails advertising .my domains to
> redirect traffic.
>
> As soon as one domain is listed, another one is used.
> Source ip changes all the time.
>
> Only common characteristic is:
>
> .my domain registered @ namecheap
>
> I had a quick search through SpamAssassin. There is the AS lookup module
> to add a score based on the source IP being announced by a particular AS.
>
> Is there something similar for domains in the email body being
> registered with a specific registrar? Is there another mail filter
> possibly capable of doing such a lookup or another way to match such
> emails?

There is nothing in SA to check registrar, due to the chronic shabbiness
of whois which is only recently being fixed by deployment of rdap.
However, there is the ability to check the nameserver of the From
address by defining rules with check_rbl_ns_from() (in
Mail/SpamAssassin/Plugin/DNSEval.pm.) An example exists in the KAM
ruleset:

header    PCCC_FROM_BAD_NS  eval:check_rbl_ns_from('pccc-ns', 'wild.pccc.com.', '127.0.1.1')
describe  PCCC_FROM_BAD_NS  DNS server of From address found on PCCC WILD RBL (https://raptor.pccc.com/RBL)
tflags    PCCC_FROM_BAD_NS  net
score     PCCC_FROM_BAD_NS  2.0
priority  PCCC_FROM_BAD_NS  -100

--
Bill Cole
[email protected] or [email protected]
(AKA @[email protected] and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
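
Added example, not part of the reply above and not SpamAssassin code: where a registry publishes RDAP, the registrar and nameservers of a body domain can be read from the JSON response (RFC 9083 layout) and compared against a local policy. The response below is constructed, and the function names, domain, registrar name and registrar ID are placeholders.

```python
import json

# Constructed RDAP domain response in the RFC 9083 layout.
# Every name and identifier in it is a placeholder, not real registration data.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "spamvertised-example.my",
  "entities": [
    {"objectClassName": "entity", "roles": ["abuse"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Abuse Desk"]]]},
    {"objectClassName": "entity", "roles": ["registrar"],
     "publicIds": [{"type": "IANA Registrar ID", "identifier": "99999"}],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Registrar, Inc."]]]}
  ],
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "NS1.DNS-HOST.EXAMPLE."},
    {"objectClassName": "nameserver", "ldhName": "ns2.dns-host.example"}
  ]
}
""")

def registrar_of(rdap):
    """Return (name, iana_id) of the entity holding the 'registrar' role."""
    for ent in rdap.get("entities", []):
        if "registrar" not in ent.get("roles", []):
            continue  # skip abuse, technical and other contacts
        vcard = ent.get("vcardArray", [])
        props = vcard[1] if len(vcard) > 1 else []
        name = next((p[3] for p in props if len(p) >= 4 and p[0] == "fn"), None)
        iana = next((p.get("identifier") for p in ent.get("publicIds", [])
                     if p.get("type") == "IANA Registrar ID"), None)
        return name, iana
    return None, None  # registrar not published in this response

def nameservers_of(rdap):
    """Return the delegated nameservers, lowercased, without trailing dot."""
    return sorted({ns["ldhName"].rstrip(".").lower()
                   for ns in rdap.get("nameservers", []) if ns.get("ldhName")})

def matches_policy(rdap, tld, registrar_ids):
    """True when the domain is under `tld` and its registrar ID is in the set."""
    domain = rdap.get("ldhName", "").rstrip(".").lower()
    _, iana = registrar_of(rdap)
    return domain.endswith("." + tld) and iana in registrar_ids
```

The nameserver list is the same attribute the check_rbl_ns_from() rule keys on, so a response that lacks a registrar entity still yields something to match.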